November 2, 2023

Last Updated on January 16, 2024

To demonstrate CMMC compliance so you can participate in US Department of Defense (DoD) contracts, many defense suppliers will eventually need to pass an external certification audit with a Certified Third-Party Assessment Organization (C3PAO) at CMMC Level 2.

Organizations can request a CMMC Level 2 certification audit before CMMC is finalized through the Cyber AB’s voluntary assessment process. But are there other ways to demonstrate compliance/alignment with CMMC standards before committing to an external certification audit?

This blog posts offers some suggestions for US defense industrial base (DIB) orgs that need to show customers, US government agencies, or other stakeholders that they have met or will soon meet CMMC standards and can safeguard controlled unclassified information (CUI).

Self-attest to compliance with NIST 800-171

CMMC is based on the NIST 800-171 cybersecurity standard to protect CUI. Since late 2016, the DoD has required its contractors to self-attest to their level of NIST 800-171 compliance by posting a compliance score to its Supplier Performance Risk System (SPRS) database.

If your company has posted a score of 110 in SPRS—indicating full NIST 800-171 compliance—within the past three years, and that score remains valid, then it serves as evidence of de facto CMMC Level 2 compliance.

If your score in SPRS is below 110, you can provide more information to stakeholders by documenting a Plan of Action and Milestones (POA&M). A POA&M can detail how and when you will achieve full NIST 800-171 compliance, showing your cybersecurity commitment and progress.

Prove compliance with another cybersecurity framework

The path to CMMC certification can be complex. As an interim/supporting step, organizations could potentially validate their ability to protect CUI by showing compliance or alignment with another robust cybersecurity standard or framework besides CMMC or NIST 800-171, such as:

  • ISO 27001
  • SOC 2
  • NIST 800-53
  • The NIST Cybersecurity Framework (NIST CSF)
  • FedRAMP
  • The Federal Information Security Management Act (FISMA)
  • The Building Security In Maturity Model (BSIMM)
  • The Software Assurance Maturity Model (SAMM)

While some standards require third-party audits to prove compliance (e.g., ISO 27001), you can assert compliance with many standards (e.g., BSIMM) through a rigorous self-assessment that includes your policies and procedures, documentation, network security, access controls, and incident response capability. You can also hire an independent third-party to audit and attest to your compliance with a cybersecurity standard.

Create a System Security Plan

As a prerequisite for CMMC Level 2 or CMMC Level 3 certification, DIB orgs must create a System Security Plan (SSP). The purpose of an SSP is to overview and present specifics on how your security controls meet applicable requirements to safeguard CUI.

Your SSP should diagram the flow of CUI between systems and networks, including authentication and authorization processes. It should also cover company guidelines, security policies, and administrative duties pertaining to CUI.

It is vital that your SSP be up to date and accurate for your current CUI environment to serve as evidence of your CMMC compliance status.

Conduct a CMMC internal audit

A CMMC internal audit reviews your security controls to ensure they meet CMMC requirements and support business objectives. An internal audit should:

  • Validate that you can produce artifacts to document operation of your controls, which you’ll also need for an external audit
  • Identify any and all gaps and nonconformities within your cybersecurity posture where you fall short of CMMC compliance

As with an external compliance attestation, an independent third-party can help make your internal audit process more effective and accurate to demonstrate an improving cybersecurity posture on the way to CMMC compliance.

What’s next?

Whatever your goals and timeframe for CMMC certification, a CMMC Registered Provider Organization like CBIZ Pivot Point Security can offer recommendations, consulting, internal audit support, and other services to guarantee success, efficiency, and useful knowledge transfer.

Contact us to speak with a CMMC expert about your cybersecurity program, your overall compliance picture, and how we can help you achieve successful CMMC certification.